Editor’s note: this article was written last year in conjunction with RiskLogic’s Cyber-Awareness campaign. We are re-promoting it for 2017’s Cyber Awareness Month.
The Business Continuity Institute brings you another year of stats to help put into perspective the issues facing organisations. Here is a breakdown of the 2016 Cyber Resilience Report. These numbers were researched and put together by Senior Communications Manager, Andrew Scott CBCI.
As I mentioned last week, BDO had stated in their cyber awareness workshop that one organisation would receive on average 17,000 attacks in 2016. By 2020, this is going to cost companies a staggering $3 trillion USD.
The frequency of these cyber incidents demonstrates why it is important for organizations to have plans in place to mitigate against these kinds of threats, or to lessen their impact.
This has clear implications for the time taken to return to business as usual, and the ultimate cost of the incident to the organization.
Even if organizations wish to respond immediately to a cyber attack, the nature of the attack may render them unable to do so.
All these forms of attack will, in different ways, render an organization’s own network either contaminated or inoperable. The example of a company in New Zealand that disappeared off the face of the earth a few years ago illustrates this.
They realised one afternoon that someone was in their system, just sitting there waiting (which can be more worrying than if they’re actually attacking). The organisation took the first meaningful step and completely disconnected the whole business. 150,000 customers were contacted to change their passwords. Over two weeks the IT team rebuilt the company from scratch. Confident that no hacker could get back into something completely rebuilt like this, they gained the stakeholders’ trust and invested millions into fixing this as soon as possible. On a Friday afternoon at 4:30pm, the business was ready to switch back on. Once they had, their CIO was informed that the hacker was there again, waiting, back in the systems. His inevitable attack led the company to lose a further couple of million dollars and sent them into bankruptcy.
David James-Brown FBCI, Chairman of the BCI, commented: “This piece of research is one of the most timely, insightful and relevant the BCI has ever produced. Cyber attacks tend to target the weakest links of an organisation, and this calls for a greater awareness of ‘cyber crime’. As the cyber threat evolves, it is crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”
Rickie Sehgal, Chairman of Crises Control, said: “Rapid communication with employees, customers and suppliers is vital for any company in terms of responding effectively to a major business disruption event such as a cyber attack. When your business is at risk, even a one hour delay in responding to an incident can be too long. Taking more than two hours to respond, as almost half of companies do, is just unacceptable.”
RiskLogic offers a comprehensive training course on cyber resilience and how your organisation can remain prepared and secured for when an attack occurs. Our experienced and credible consultants are well prepared and ready to assist you in your cyber journey. Contact us now to arrange your obligation free consultation on this.
Written by Brad Law, Senior Manager, Resilience Services & Country Manager NZ & Ollie Law, Commercial Marketing Manager
Just over a year ago, I was sitting down to lunch with a client in Wellington. It was a rare, beautiful day with a nice buzz of students and frantic businessmen walking around us. We were about 300 metres away from the Beehive (Executive Wing of the New Zealand Parliament Buildings) and my client leant over to ask, “What do you think is the most likely and unlikely organisation to be hacked or targeted by cyber-terrorism?” After very minor thought, I concluded that anything to do with the Defence Force is not only a huge target for any budding hacker, but surely, it’s also the last place that would allow that to happen, right? Wrong!
As of Tuesday 10th October 2017, an Australian Defence Contractor has had highly commercially sensitive information on the build and design of new fighter jets, navy vessels, and surveillance aircraft stolen.
The Facts as we know them:
Dan Tehan, the minister in charge of cybersecurity, confirmed the hacking had taken place and was targeted towards an unknown contractor.
The hack itself took place over a few months, without any defence or internal networks picking up the attack.
24 hours after the news broke, Australian authorities researched and criticised the defence contractor for “sloppy admin” concluding that in fact, anybody could have penetrated the company’s network and that they were “surprised it hadn’t happened sooner”.
During the investigation of the hack, it was found that hackers had exploited a hole in the IT helpdesk portal: a 12-month-old vulnerability that no staff member had patched, literally leaving a door wide open for even the most amateur of hackers to enter.
Furthermore, the Australian Signals Directorate (ASD) found that the contractor had not updated any of its key passwords and entry codes for any internet-facing servers in many, many months.
It has recently emerged that the admin password used to enter the company’s web portal was ‘admin’ and the guest password was ‘guest’. An unbelievable fact in terms of the contractor’s field of work.
ASD incident response manager Mitchell Clarke told a conference in Sydney on Wednesday (11th October) the hackers targeted a small “mum and dad type business” — an aerospace engineering company with about 50 employees in July last year. This means the hackers were experienced enough to go through a third party/supply chain of the main contractors first, again exploiting a hole in the continuity of the whole program.
Clarke noted, “It included information on the (F-35) Joint Strike Fighter, C130 (Hercules aircraft), the P-8 Poseidon (surveillance aircraft), joint direct attack munition (JDAM smart bomb kits) and a few naval vessels.”
This particular firm has been confirmed as a fourth-level contractor to the main Defence Force. This means the hackers could still get to the main information via a partner of the organisation, four levels down!
Why aren’t we learning?
Less than six months ago, the biggest cyber-attack to ever hit the internet occurred, WannaCry. The simple lesson learned from this should have been to update all networks, computers, and passwords. This can be done in a few hours depending on the size of your organisation.
If we break down the facts of this case, there are some key questions and discussions coming up:
- The Defence Force should have had a plan in place for all associates of their organisation?
- Why did no one check supply chain security, but are still blaming them?
- The usernames and passwords were not adequate. This should have been noticed earlier.
- How does a hack lasting nearly 12 months not get picked up?
- Is the idea of a foreign state hacking a concern?
The answer to that last question is no. In fact, foreign state powers trying to hack each other has happened since the internet was first set live – it’s nothing new. The key question here is more about the order and control of their supply chain in the first place.
What might happen now?
Nothing is likely to happen. Like with most hacks, it’s an opportunity to boast how good you are at it. The most likely scenario now is a ransom put on the return of the information. Or, we may never hear about this again meaning it’s been taken higher.
The ASD, for now, has dubbed the hacker “ALF”, after a character in the TV soap opera Home and Away. At least they’re seeing the humorous side to all this!
Mr Clarke described the security breach as “sloppy admin” during his press conference. Most IT people could spot holes in the system; it’s the higher authorities who should have put checks in there in the first place.
What you need to do, right now!
If you didn’t already do this in May following the WannaCry cyber-attack, go and ask your IT team when they last changed passwords.
You need to then check how up to date your security systems are.
Then, most importantly, you need to get in touch with any third parties you’re associated with and your supply chain! As stated by Alastair MacGibbon, the Special Adviser on cyber to the Prime Minister, on breakfast news, “this is a supply chain issue, not the Government’s fault”. Sorry Alastair, you can’t blame your supply chain; the responsibility for a disruption remains with the company.
If, for example, you were an airline based in Australia, you would have hundreds of supply chain dependencies, even right down to the travel agent. There would be many websites and potential gateways to stay on top of. Starting to work these out and knowing what is what will maintain your resilience.
Your DRP (Disaster Recovery Plan) and ITDR need to be looked at, right now. Even if you looked at them last week, you need to double-check they’re up to date and where they need to be.
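The password and patch checks above, together with the default-credential finding the ASD reported, can be run as a routine audit over your own and your suppliers' internet-facing services. This is an added example, not part of the original article: the inventory layout, hostnames, dates, thresholds and candidate list are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import date

PBKDF2_ITERATIONS = 100_000
# Assumed policy thresholds for this example; the article does not give any.
MAX_PASSWORD_AGE_DAYS = 90
MAX_PATCH_LAG_DAYS = 30
# Vendor-default style values to test; each account's own username is added too.
DEFAULT_CANDIDATES = ("admin", "guest", "password", "changeme")


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256, standing in for whatever scheme the portal uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(username, password, changed):
    """Build a stored-credential record (salt + hash, never the plaintext)."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "password_changed": changed}


def default_password_in_use(account):
    """True if the stored hash matches the username or a known default value."""
    candidates = {account["username"], *DEFAULT_CANDIDATES}
    return any(
        hmac.compare_digest(hash_password(c, account["salt"]), account["hash"])
        for c in candidates
    )


def audit(inventory, today):
    """Return (service, issue, age_in_days_or_None) for every failed check."""
    findings = []
    for svc in inventory:
        where = f'{svc["owner"]}/{svc["host"]}'
        fix = svc["oldest_unapplied_fix"]  # release date of the oldest fix not yet applied
        if fix is not None and (today - fix).days > MAX_PATCH_LAG_DAYS:
            findings.append((where, "unpatched", (today - fix).days))
        for acct in svc["accounts"]:
            if default_password_in_use(acct):
                findings.append((where, "default-password:" + acct["username"], None))
            age = (today - acct["password_changed"]).days
            if age > MAX_PASSWORD_AGE_DAYS:
                findings.append((where, "stale-password:" + acct["username"], age))
    return findings


# Constructed sample data: one supplier portal configured the way the article
# describes, and one well-kept service for contrast. All values are invented.
SAMPLE_TODAY = date(2017, 10, 12)
SAMPLE_INVENTORY = [
    {"owner": "tier-4-supplier", "host": "helpdesk.supplier.example",
     "oldest_unapplied_fix": date(2016, 10, 12),
     "accounts": [make_account("admin", "admin", date(2016, 7, 1)),
                  make_account("guest", "guest", date(2016, 7, 1))]},
    {"owner": "own-org", "host": "portal.own-org.example",
     "oldest_unapplied_fix": None,
     "accounts": [make_account("ops", "x9!Lq-tuned-Harbour-42", date(2017, 9, 1))]},
]

if __name__ == "__main__":
    for where, issue, days in audit(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(where, issue, "" if days is None else f"{days} days")
```

Listing each service under its owner keeps supplier-hosted systems in the same report as your own, so a fourth-tier portal is checked as routinely as an internal one.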
Coincidentally, I’m about a day off finishing my follow-up article on the Auckland Fuel Crisis. In this, I discuss contractors and how we often look to blame a third party when something like this happens. In fact, your stakeholders aren’t going to do that, and neither is the media.
We still don’t know officially who these contractors were, but we’re all happily blaming the resilience of the Defence Force here when really, many authorities and people are involved.
I will be following up this story as it progresses, as I believe it is a huge eye-opener for Australian and New Zealand organisations.
RiskLogic specialise in modules around Business Continuity for your supply chain. We’ve been doing it for over a decade. As well as this, we have industry leading cybersecurity modules & plans for all types of organisations. Our senior consultants and trainers live and breathe this daily across Australia & New Zealand. If you’re concerned about possible holes in your supply chain or cyber-security, give us a call now, obligation free.
Until then, plan, do, check & act…
Written by Ollie Law – Commercial Marketing Manager NZ & Brad Law – Senior Manager, Country Manager NZ.
Let’s pretend that you’re the owner of a fast food franchise in Surry Hills, Sydney, or Kensington, London, or Beverly Hills (pick one), and that your clientele sits in the middle-class bracket. They’ve got acquired tastes and preferred service. They usually don’t eat in such an establishment, but thanks to your continued growth, the care you’ve put into the decoration and the location of said restaurant, you’re getting decent traffic through those doors.
Then a few years later, about two blocks away a new franchise opens – the same brand. These guys don’t care as much as you and have treated these customers poorly, in some cases even stolen their details from them. The reputation of the brand itself starts dropping and you notice a considerable lack of customers until they’re eventually all gone.
Now, imagine that this fast food restaurant is your website, the new franchise down the road are hackers, your front doors are Google and your clientele is…well, your clientele. That’s currently what is happening to your website thanks to the new SSL certificates being put in place across the web.
What is an SSL Certificate?
Yes, more acronyms to try and remember. SSL stands for Secure Sockets Layer and, in a nutshell, it is a protocol which creates a secure connection between a client/user and the server over which to send data, messages and information. These are sent via a cryptographic system that uses two keys to encrypt data – in other words, to keep your usage private and secure.
For us Joe Bloggs out there, you can usually tell whether a URL (web address) requires an SSL connection by checking if it’s got HTTP or HTTPS (SSL Certified) at the beginning.
That SSL Certificate sends really important information back to search engines like Google and Bing. It tells them the site’s location, its owner, physical location, domain name and all the bits in between that Google recognises as being trustworthy.
What changes are coming?
I’m not going to go into all the technical information you need to really know about this, as chances are you’re a BC professional and you have an IT team or person you can go seek reassurance from. Chances are they’re already on to it and have maybe even started the process of getting your website certified. Your involvement here, however, covers the questions of why is Google introducing this now? Why has my team not told me this is happening? Is it important?
Symantec reports that up to 73% of web users choose Chrome as their primary browser. Google is very aware of these figures and has taken very drastic, precautionary measures since two major hacks that have happened this year.
Google wants your site to be HTTPS supported. They want you to move your URL onto HTTPS to help slow down the efforts of hackers. Their way of making you take action is by blocking certain websites that are not supported. You’ll know this is the case when you get a pop-up like this (if you’re on McAfee):
Lack of security on your site is going to be detrimental to how much traffic you’re getting and maintaining your image of being a trusted site.
Again, unless you personally contact us, I won’t bore you with how to secure an SSL Certificate, but you need to be checking that you have one and get your IT team on to it if not.
Why these changes need to be taken seriously in the resilience world
You must ask yourself, why is the biggest organisation in the world, the number one search engine and quite possibly the owner of all things web, worried about everyone being so certified? Have things really gotten that bad that even Google want all HTTP sites to be converted? Yes, they have.
The world has never seen such high numbers of cyber attacks as it does today. Computers in the billions are being hacked daily for all sorts of reasons. Currently, Google is well and truly losing the battle of ensuring the websites they push are safe (hence this new initiative).
Resilience providers like RiskLogic will tell you and other organisations every time we meet that cyber is the number one threat. I think everyone gets that now, so what else has to happen other than Google changing their certificates for people to start taking this seriously? It’s not just your work laptop that’s under threat, it’s personal systems too. Hackers don’t care.
These changes need to be understood and acted upon, right now. We are resilience experts and should stay on top of these initiatives to help keep our organisation safe and our stakeholders happy.
What you can do now
There are two things.
1. Talk to your IT team and understand their position here.
2. Have a look at our Cyber security program.
You should be asking your IT team if your websites are certified… Otherwise, you may be losing traffic, and you are now extremely vulnerable to a successful cyber-attack.
If they’ve not got one yet, it’s time to plan on how you’ll get one and what provider you’ll use. Name.com offers a variety of options for starters. Then do it, get it certified. Send a bulk email to your whole organisation to check they can get on the website – are there any issues? Finally, act on your changes. Was there anything you learnt about this process that could be streamlined if it’s needed to be repeated?
Our Cyber Resilience program is a fantastic way to streamline this process and your wider resilience strategies for your organisation. We’ve teamed up with Chris Watts, Cyber Security Specialist and dozens of other IT professionals to put together concrete, credible and responsive plans to all things cyber. We can develop a Cyber Security Incident Management Process to map out elements of IT preparedness, identification, containment, eradication, recovery and follow-up. This plan will tie directly into existing policy & frameworks including escalation, activation of teams, response and recovery activities.
Want to know more? Drop me a line or make a comment below for an initial discussion.
Until then, plan, do, check & act…
RiskLogic are pleased to announce that for the fifth time, BC-3 has been nominated for Continuity and resilience provider (service/product) 2017 for the BCI Australasian Awards to be held on the 31st of August.
Following recent successes such as being named in the Gartner 2017 list, BC-3 has also been recognised as leading software by the DRI 2015 Conference, BCI Global awards, BCI Asia, CIR winner for 2012 & 2013 and Global Best BCM Software Award five years in succession.
“We are proud to be associated with the ClearView product and this win is indicative of what the BC-3 product has come to represent as a global leader in the business continuity software space. It truly shows that BC-3 is making a big difference to enterprise wide business continuity programs across the globe.” – Joshua Shields, Joint Managing Director
In addition to this fantastic achievement, the Activate application and portal run by sister company, FirstAction has also been nominated for Continuity and resilience innovation 2017. For such a young technology solution to be nominated and recognised in this environment is a testament to the hard work and dedication put behind this game-changing product by the RiskLogic and FirstAction team.
Recently adopted by Apple Inc., Activate has hit the market running providing Australia with technology specifically designed to help you save lives. Being nominated for an award like this so early in its life cycle has only come as further proof to General Manager Phil Archer of its capabilities.
“…our business is very excited to be recognised and nominated as a finalist for the BCI Australasian Awards for 2017. Activate, our game changing emergency management app has been shortlisted at this year’s awards which only adds to the excitement of the app. This is a wonderful achievement for our passionate & dedicated team of emergency management professionals who ultimately empower organisations to Save Lives!”
RiskLogic is proud to provide Australia and New Zealand with such powerful, significant systems for organisations to adopt and thrive off of. We look forward to the results later this month.
Written by Ollie Law – Commercial Marketing Manager & Simon Petie – Senior Consultant, Queensland.
On November the 11th, 2011, Australia, and in particular the Gold Coast found its fifth bid to host the Commonwealth Games successful. Next year (2018), the Gold Coast is going to have an influx of electric-excitement and spectator-chaos around what we’re now officially calling the XXI Commonwealth Games. With the opening ceremony locked in for April 4th, 2018, emergency services, visitors, residents, councils, and organisations have ten months to prepare for what is no doubt going to be an Australian wash out event.
One of the key reasons the Gold Coast won its bid for the games was its planned venue situation having 80% of the required venues already built and ready. Transport as well boasted only 20-minute driving time to the Athletes village while public transport screams success for a city that has perfected its light rail system – which will connect a number of key venues together.
In 2015, England hosted what was called Rugby’s greatest ever World Cup event. South Korea have already spent billions on its readiness for the Winter Olympics next year while Russia does its magic for the Football world cup next year also. With what seems to already be a successful 2018 for sports, we could be in for an enjoyable and perhaps legendary event here in Queensland. The organisers are certainly aiming high for that.
I’ve spent the last six months preparing resource and content around how an event like this is going to affect local organisations, and how by using Business Continuity during the event, you will not only survive but thrive off of the stampede of sports about to hit your doorstep.
Getting your BCP in check now
Regardless of what area of business you’re in, your transport and supply chain is going to be affected during the events. The Gold Coast will see an influx of anywhere between 690,000 and 700,000 visitors during the games. With these increased demands on the transport systems, local, smaller businesses are going to be hugely affected. During the London Olympics 2012, small, inner-city businesses recorded a 65% increase in wait time for deliveries and supply chain access.
Your workforce planning and operations need to be looked at now in ways to minimise this disruption. Minimising impacts on business and supporting continuity is a key focus of the background transport task. Even if you’re an organisation that is not bound to a supply chain, you are still affected by smaller requirements like downtime during a blackout or any major, external support systems.
Your options around this are to seek alternative freight routes, talk early about the expected time delays and factor this into your daily objectives and workforce journey plans, and work out how you can help get your team to work comfortably. As a business, you should be consulted early by your suppliers on how they’ll get around this. If not, you need to be making those calls now.
You should be planning your resilience around situations like this early; you have ten months!
Know the plans for GC2018
The local councils and Government will already have their plans written, signed off and printed for the games. Chances are, they didn’t send you a copy of these! Key routes in and out of the city will be disrupted and even closed. Freight operators would have already decided on new routes, public transport too. Now is the time for you to be finding all this information out, whether it be for your supply chain, or simply so your staff know how to be getting to work.
Freight movements will be restricted in venue precincts during competition hours. The freight industry and affected businesses and residents will be engaged by the GC2018 transport partners to ensure issues are identified and addressed, and to minimise disruption to freight operations. This will start happening as early as a month before the events.
Many strategies will be proposed to freight operators, business, and residents to support freight operations during GC2018. They include:
- Where possible, limiting freight requirements during GC2018
- Moving delivery times outside of competition times
- Reducing the size of delivery vehicles entering venue precincts (meaning smaller loads)
- Alternative freight routes and, where possible, avoiding use of the Core GRN and the Gold Coast Highway
- Avoiding travel through key Gold Coast precincts such as Broadbeach, Surfers Paradise, and Southport during competition times.
Does this affect you? Does this affect your suppliers?
How we can learn from past impacts
From my perspective, these points already raised and shared with local Gold Coast businesses seem very light compared to the wider picture. Many more organisations will see an effect on their day to day running while the event is on.
We’ve seen businesses disrupted by events on this scale before in Australia, specifically during one of the largest Olympic games in history, “Games of the XXVII Olympiad”. The games of the Millennium hosted in Sydney in 2000 cost the country an estimated $6.6 billion but were regarded as “one of the most successful events on the world stage”, and it was said that the “IOC should quit while it’s ahead…there can never be a better games”. With only six years of planning for what was a spectacular event, the country learnt some valuable lessons very early on.
With initial slow ticket sales and a failure to meet its initial budget, Sydney skyrocketed past its budget by only year three of its planning. To compensate for this, small taxes started to rise. The media then got hold of this and potential shortcomings were being highlighted before the 1996 Atlanta (US) Games had even started.
There was also concern about potential problems during the Games. The public transport system was one of these concerns, as were airport congestion, city traffic, security threats and the cost of running Olympic facilities after the Games. The international media’s reporting on Indigenous issues also caused authorities concern.
Despite all the negativity from the media, the staging of the Sydney Olympics was an unqualified success. The predicted trouble spots did not eventuate. Public transport was a problem, just before the Games, however during the Games, the entire system ran smoothly. In fact the whole of Sydney ran better than it usually did. This was partly due to the fact that schools closed for three weeks, many offices closed and staff took leave for the entire period. A party atmosphere reigned throughout Sydney, a party celebrated by visitors and locals alike.
Although GC2018 is unlikely to reach this scale, we can minimise the impacts by taking the examples learnt from this event and mirroring them to what we know today. Just like the 2000 Games, you should expect huge disruptions across all business areas. Businesses need to be thinking about revising their Business Impact Analysis prior to GC2018 in order to understand their critical business functions and dependencies.
Let’s get everything in order
Establishing a robust BCM (Business Continuity Management) Strategy now is the best method for understanding possible disruptions. I’ve spent months already speaking with current clients and contacts about how understanding your critical business functions and dependencies needs to be done now.
In these meetings, I continually point my opposite towards the GC2018 Organisation Committee, who, to their credit, have done a good job on relevant, up-to-date information. This is the sort of information you want to be keeping an eye on weekly. One of my clients has even appointed a junior to check up on this information weekly and bring it to their WIP meetings if necessary. Small steps like this will allow businesses to plan and prepare for any disruption in the lead-up to the games.
By visiting all these steps now, you’re allowing yourself ten months to comfortably get through the event. The Commonwealth Games 2018 are going to be running, cycling and jumping right outside of your front door; it’s important you are ready for this whether you like it or not. It’s important that you know how to thrive as an organisation during this time.
Over the next ten months, I will be using my time, resource, and experience to help multiple organisations plan and prepare through unique and specific BCP’s for the games. If you’d like to discuss how RiskLogic can help you as well, drop me a line today.
Call us on 1300 731 138, email firstname.lastname@example.org, you can also find Simon in Brisbane:
Level 29, 1 Eagle Street
Brisbane QLD 4000
The new office is located on Brisbane’s Waterfront at 1 Eagle St, Brisbane City. If you’re a Queensland based organisation seeking advice and solutions on how to build your Resilience, contact Simon Petie now on 1300 731 138, mobile 0421905829 or on email at email@example.com.
- Position yourself with a market leader in critical incident / emergency management
- Manage a diverse range of clients across multiple industries
- Competitive remuneration, excellent career progression
To support our Melbourne practice, we are seeking a motivated and results driven business professional with proven experience in emergency and critical incident management or related disciplines.
Our vision is to work with inspired people to build meaningful organisations that contribute to a better tomorrow. At RiskLogic we do this every day by empowering people to successfully navigate the worst of situations, events like cyber-attacks, terrorism, physical disasters, health epidemics to name a few. With the right tools, training and experience we help people safeguard what’s important to them, helping to build a more Resilient Future.
RiskLogic is a market leading consulting and technology company that works with corporate, not-for-profit and government clients throughout Australia and New Zealand. Our team makes a real and tangible difference to our clients and their success in a constantly changing threat environment.
This is a key role with tremendous scope to make a real impact during an exciting expansion phase of the business. RiskLogic offers a fast paced and results driven environment with competitive remuneration and excellent growth potential.
You will be responsible for the delivery of both operational and strategic client focused emergency and critical incident management solutions, to a diverse range of industries and clients. This role will also have exposure to business continuity service delivery.
This consulting role will allow you to prepare our clients for managing emergencies and incidents. For example: active shooter, terrorist attack, bush fires, extreme weather, incidents in mass gatherings. Specifically, you will:
- Oversee and contribute to client deliverables (eg procedure development, training and exercising) across emergency management and critical incident management
- Build and maintain strong client relationships across numerous industry sectors
- Contribute at industry events, seminars and conferences on behalf of RiskLogic
- Secure new business development opportunities
- Oversee project profitability and other key performance indicators
- Assist with building local strategic alliances and partnerships
- Contribute to ongoing quality management and continuous improvement activities
- Collaborate with other internal divisions to provide integrated client outcomes, i.e. business continuity, crisis management and technology solutions
- Be in a position to service clients across Australia, including the occasional interstate travel
- Minimum 5 years’ experience in delivering relevant services, ideally within a consulting environment
- Minimum 5 years’ experience working in an emergency management tactical environment
- Minimum 5 years’ experience facilitating training sessions and exercises
- Demonstrated ability to create, build and maintain strong relationships at all levels
- Exceptional project management and organisational skills
- Ability to problem solve and influence project outcomes
- A performance driven mindset and strong commercial acumen
- The ability to adapt to diverse environments and manage multiple priorities
- Strong presentation, training and facilitation skills
- A strong drive for continuous improvement and delivery of quality outcomes
- Self-motivation, with a proven ability to effectively work remotely from managers and other team members
Work with us!
We’re a team of diverse and passionate enthusiasts. Everyone is empowered by exploring and implementing innovative ideas and improvements. We’re growing, which means lots of opportunities and we make these opportunities real by helping you get there. We thrive and collaborate in an open activity based workspace, utilise the latest technologies and provide a great culture for you to thrive in. As an integral member of the RiskLogic team, you’ll model our core values with your words and actions: Integrity. Passion. Innovation. Performance.
If you have the skills and experience required for this role, we look forward to receiving your cover letter and resume. For further information, please email Iolanda Hazell, People & Culture at firstname.lastname@example.org
At the Business Continuity Awards ceremony held at the prestigious London Marriott Hotel, Grosvenor Square on 8th June, ClearView (BC-3) wins the Award for Best Business Continuity Management Software for a record fifth year in succession, against competition from around the world. RiskLogic brings BC-3, under its global label ClearView to Australia and NZ, the web based business continuity tool that allows organisations to effectively command, control, and coordinate all of their business continuity capabilities.
The judges praised the software for its role in helping organisations of all sizes in all parts of the world to achieve their BCM objectives; delivered and supported by a team with significant industry knowledge and with excellent customer service.
Charles Boffin, CEO of ClearView says:
“This is an outstanding achievement and one of which the whole ClearView team is very proud. We are delighted to have been judged by leading industry figures as the best software yet again, truly establishing us as a global leader. Our continued focus on making the complex challenge of effective BCM framework/process management a simple, straight-forward process for all users in an organisation remains at the very heart of everything we do.”
Joshua Shields, Joint Managing Director of RiskLogic says:
“We are proud to be associated with the ClearView product and this win is indicative of what the BC-3 product has come to represent as a global leader in the business continuity software space. It truly shows that BC-3 is making a big difference to enterprise wide business continuity programs across the globe.”
Charles Boffin (CEO) and Ian Crabb (COO) of ClearView received the award from Scottish Continuity together with Mark Watson, who was the evening’s host.
More details of the Awards can be found at www.businesscontinuityawards.com
Manager, Technology Solutions
1300 096 190
Written by Simon Petie – Senior Manager, edited by Ollie Law – Commercial Marketing Manager.
Severe Tropical Cyclone Debbie that hit on March 28th, 2017 was the strongest tropical cyclone to hit the Australian region since Cyclone Quang in 2015. She was branded the most dangerous cyclone to impact Queensland since Cyclone Yasi in 2011. Forming as a tropical low on the 23rd March, the low gradually intensified to a named tropical cyclone on the 26th March. After steadily strengthening offshore to a Category 4 system, Debbie eventually made landfall near Airlie Beach, just north of Proserpine, at around 14:00 AEST on the 28th March. Afterwards, Debbie rapidly weakened into a tropical low by late on the 28th March but continued to travel south, causing significant damage and flooding in the populous areas of South East Queensland and Northern Rivers of New South Wales. The cyclone was so powerful, it found its way over to New Zealand where it caused even more havoc and flooding.
The cyclone will cost the government $420.2 million in damages not to mention the emotional toll it’s going to take on the people worst affected, including those who lost their lives. But this article is to discuss what we did right and what we need to change from the perspective of a Senior Business Continuity and Crisis Manager who found himself right in the mix of this very wet and windy situation.
On March 29th, I found myself in the RiskLogic HQ about 15 calls deep by 9.15am and right in the middle of our most major software release the following day. If it wasn’t for my phone’s robust battery life, I’m not sure what my clients would have done. This event however really put across some key points and arguments about how we, as businesses, as Australians even, are dealing with such events.
“Are we actually in a crisis Simon? Should we activate the team?”
It’s an important question and one we spend many hours in our training sessions trying to teach you to answer. You need to assess the facts, you need to plan your steps, act on the news given, check everything is in order and get on with it. A cyclone bringing winds of 200kph and rain of 39 inches is heading right towards you…yes, you’re in crisis mode.
I’d like to focus my attention however onto the Queensland schools. We are lucky to have a few clients based in education up north and I found myself really engrossing myself in their situation. Here are the facts:
On the 30th of March, the Queensland State Government took the unprecedented step of Closing Schools and Child Care Facilities from Agnes Waters to the New South Wales Border in preparation for a severe weather event forecast to occur that afternoon.
The Queensland Government also publicly urged all businesses to send their staff home on Thursday.
At 10:00 am, the Government extended the School closure through until Friday (highly publicised over the News). The interesting thing here was businesses were not advised to stay closed until Friday, so why only Schools?
By Friday, the typical phrase “the weather man got it wrong again I see” was hitting the streets hard. So wrong in fact there was almost no rain, little wind and if anything, perfect post-work beer weather!
It seemed that the original panic and communication only encouraged locals to not believe the hype and get back into their day to day tasks.
The decision to close schools occurred after 7:00am on Thursday (most parents were informed by about 8:10am), with some schools only closing at 10:00am. The timing of this decision sent South East Queensland into a crisis as parents found it difficult to get back to schools to pick up kids and arrange care. Remember, most of these same parents worked for businesses that were also being told to close!
In many cases, teachers were required to remain at the schools anyway as all children were unable to be picked up. This now meant a relatively high level of people were still not home safe.
Once the news got out to close these schools, I observed the pure havoc that was unfolding. Alternative arrangements needed to be made by multiple businesses for parents, teachers and the kids. By the afternoon, I started making phone calls and getting even more of the facts. In particular, businesses were contemplating charging parents a ‘carers day’ or a full ‘leave day’ out of their leave book as a result of the government’s decision and the school closure day Friday. Does that seem fair? Did we move through this major disruption with our heads in a positive place? I think not.
National Brisbane-based businesses, for example, call centres, were now unable to fulfil their critical functions due to a lack of staff who were ‘told by the government to go home’. By now, before the storm had even hit, before it even started raining, the financial impact across the state was in the hundreds of millions.
The thing that made this worse though was that great ball of fire hanging above our heads come Friday morning! The sun wasn’t just up, it was out and shining – causing some obvious backlash and frustration from the public.
You have to ask yourself here, although people were obviously the priority of the Government, was the assessment made across all impact categories, including reputation and legal compliance, the right one? Could the timing of the decision have been thought out a little better? Could schools have closed at a later time, 10:00 am or lunch, to allow parents the time to organise pick-ups and care, and businesses the ability to coordinate business continuity?
The decision to extend the school closure until Friday based on information available at the time seemed incorrect to most and now appears incorrect with hindsight. Could we have reassessed and made it Friday morning, say 6.30am?
Was information updated as much as it could have been? Do the government and available communication points need to be updated and kept consistent for Queenslanders?
From my perspective, the decision to close schools on Thursday was sound, it limited the number of people on the roads and mitigated against the increased risk of the severe weather system. The decision to extend the closure of schools through to Friday was not. It was made in haste without the facts to support it which is still so common when trying to assess a crisis.
Some schools would have been required to remain closed due to flooding or potential flooding, but the blanket closure of schools across South East Queensland into Friday was extreme and created impact rather than mitigated against a threat. Hence why my phone wouldn’t stop ringing that Thursday!
“Are we in crisis mode yet Simon? Should we activate the team?” Upon reflection, I now see why I was asked this so much.
Were you directly affected by this decision as well? Do you have kids in school and what did the closure mean to you? Let me know in the comments.
Written by Brad Law – Senior Manager, Resilience Services & Country Manager NZ, edited by Ollie Law – Commercial Marketing Manager.
I’ve been back working in New Zealand now for about two years on and off. During this time, I’ve witnessed four significant unexpected events/natural disasters. The more recent ones being in the form of earth shattering quakes and last month when the Port hills turned into a blazing wall of hellfire down in Christchurch. With these constant reminders and the influx of scare tactic messaging by the media, you’d think that organisations, at least in New Zealand, would have sorted their Emergency and Crisis Management plans out. But you’d be wrong to think that.
To this day, it still baffles me how many (quite high-profile) organisations haven’t got this sorted. Something has to change.
It’s easy for these messages and blogs I produce to come across as a way to obtain business, but it’s more than that, it’s about protecting lives and livelihoods.
Is your organisation prepared to stand in front of media and stakeholders and explain why you’ve suffered a loss?
Are you ready to have complete control during an event?
This article is going to cover off a few key elements I’ve identified during these local events:
1. Why are the emergency services not communicating with each other?
2. Are paper plans the best approach to a response to an emergency?
3. Why has it taken a real event to get some organisations ready and others that still have nothing?
I’m interested to hear your thoughts in the comments below. Let me know if you feel these major events have produced a new level of awareness which may translate to new or reviewed plans and if not, why not?
Emergency Services and their communications problems
From September 22 to October 4, 1970, 773 wildfires in Southern California burned 576,508 acres, destroyed 722 homes and killed 16 people.
From these 13 days of death and destruction by out-of-control wildfires in the Urban-Wildland Interface, a Federally-funded project was created in California called the “Firefighting Resources of Southern California Organised for Potential Emergencies” or otherwise known as FIRESCOPE.
A need was identified to develop a system whereby different agencies could work together towards a common goal in an effective and efficient manner. For many years, local fire departments, police departments, EMS units and emergency managers operated within local incident management systems (IMS) that varied according to local historical and political experiences. Something had to change and this resulted in The National Inter-Agency Incident Management System (NIIMS) being developed, which was later adopted in the early 1980s by Australia, renaming it to Australian Inter-service Incident Management System (AIIMS). New Zealand has since adopted the same incident management structure and renamed it to Coordinated Incident Management System (CIMS).
Fast forward to Feb 2017 and the Port hills in Christchurch are ablaze after two fires break out in the Early Valley Road in Lansdowne near Halswell and Tai Tapu.
Lansdowne is the eastern extreme of Selwyn District, and the Selwyn Rural Fire Authority assumed control in fighting the fire. Questions have been asked as to why a Rural Fire authority was in charge of coordinating the response and Christchurch’s Mayor Lianne Dalziel and Sam Broughton conceded there was a “breakdown in communication”.
Complaints from the public about communication also beg the question, has New Zealand learnt anything from the Christchurch EQ of 2011 and is NZ Civil Defence able to provide clear and concise communication?
Having a structured Incident Management System in place will greatly improve the coordination of all services and communication to key stakeholders, in this instance, the homeowners under threat of losing their properties.
Time and time again we see communication as being the first thing that breaks down during a crisis. The emergency services responding to the Port hills were made up of many volunteers and they did a great job. However, someone at the senior leadership level of civil defence needs to take control of communications and learn from this event.
Due to bad communication, the public, who you would expect wanted answers, went looking. So now the emergency services have the issue of “rubber necking”, which caused congestion and a threat to a live issue. An effective communication strategy should be based on the following initiatives:
- When to communicate
- How frequently
- Who to communicate to
- How to communicate.
Having this basic strategy in place may have solved some of the communication issues of the Port Hills fires.
We have to move away from paper
Greenpeace will preach it, my son would as well and just about any new tech whiz working at Google; you just don’t need paper anymore! To me, paper plans for an emergency event that could ultimately lead to loss of property or at worst, life, don’t necessarily provide the most efficient way of assisting your response team.
Chances are, you know you need to move everything over to a digital layout but the information on this is overwhelming. There are several providers of Incident response software in Australasia alone. We wrote an article a few months back on how to search for the right one, I won’t discuss that today though, I’d rather talk about why organisations haven’t started looking.
November last year, Kaikoura went through a decent 7.8 earthquake. I wrote an article on the experience around this as well, but it was the information that came out after it that surprised me the most.
The evidence is out there, technology is solving communication and collaboration issues on a daily basis, taking the workload off the users and providing a more efficient and timely response. Some of my clients have driven the need for change. With the best will in the world, time after time I see response teams during scenario simulations not being able to access their paper plans. They don’t know where they are, they only have one copy and it’s in the desk that is currently on fire, or their plan is 12 months out of date. We live in a digital age and the majority of people are never far from their smart devices. If you are never far from your smart device, you are never far from your response plan, contact lists, communication strategies and templates. One plan, one team, one place!
Throughout my training and scenario simulations, I often remind teams that it’s people that formulate a response, not plans. At the end of the day, whether you have a paper plan or a digital plan, you have to have a good team to use it. However, if you had a robot to cut your grass for you, you’d probably use it. I’m all about making things less stressful for a response team in a crisis. A digital plan may provide you with:
- Command Team response (team players responding that are in different geographical locations).
- Workflow to aid decision making.
- Communication strategies to formulate effective timely communication to key stakeholders. Write your templates for your messages before you have an event!
- Contact groups.
- Incident and impact assessment tools to assist the team.
- Fact boards and whiteboards for incident information logging.
- Storage for your other response documentation.
The sooner the response team develops situational awareness, the sooner they can respond. Going digital can greatly assist the team in doing this. Your goal should be to provide the team with the best tools to do the job, maybe digital is the answer for you, I’m certainly seeing more and more organisations adding it to their response toolkit.
Don’t go searching for water after the drought
A local provider of Emergency Kits had their highest revenue month in two years after that Kaikoura EQ, that says a lot to me.
I should really go and get one of those kit bags…
…I hear it all the time. “Yeah, we were pretty lucky to not receive that much damage”. You sure were Mr Common Citizen, unfortunately, it just doesn’t work like that though. Why is it still taking real events to convince people and these organisations based in the CBDs to act? I’m completely booked for BC reviews and training until the end of May, great for business but not a great look from the market. I had back to back meetings last November and now have even more after last month’s fires.
We’ve already worked heavily with Tauranga City Council, an organisation that embodies a culture of safety and awareness. I’ve never seen such commitment and input from everyone in that team and they should be immensely proud. Paul Baunton who is our main contact there has already listened to national and global problems and reacts to them on a local level. He has mastered the ‘it’s not if but when’ value and looks to always be one step ahead. They are an organisation that has had to put their plans and teams to the test, and they both delivered!
Stuff.co.nz just released another one of their infamous scare tactic articles this week on the inevitable 8.2 Earthquake that’s coming from the coast. They’ve been talking about this for decades now, “oh no Brad, this is the real one. They’ve found where it’ll localise and everything”. To this day, seismologists still can’t tell you when, how or how bad an EQ will strike, the media however, can give you not only the magnitude but the street it’ll be on!
“The South Island will be cut off”, “External emergency service will need to be brought in”, “…stretching across much of the island. Everyone in the South Island would be within the area of impact.”
The point is, it could happen within 300 years or more. So yeah, thanks for the article Stuff.co.nz but they’ve missed the point: this earthquake and many others will happen, what are you going to do now to prepare? You’re allowed to get on with your life, but just do it prepared. The time to enact phase 1 and 2 of your incident management response is now:
Stop leaving a real event to be the reason you act. Do it now, it could be the best decision you ever made!
To round off this article, I’m pleased to announce that in partnership with Tauranga City Council, RiskLogic has produced a comprehensive guide to introducing Business Continuity into your organisation, and how to build a community around this.
This whitepaper will be free to own and download and will be primarily sent out to all Government and Councils in NZ. Those who wish to read it are welcome to contact me personally or head to the download link on our website once it’s released.
Until then, plan, do, check and act…